DreamHost Security Issue Prompts FTP Password Resets

Yesterday on the DreamHost Status Blog, it was announced that all shell/FTP passwords would be reset due to what looks to be a security breach that was discovered on one of the DreamHost database servers.

DreamHost looks to have done a great job notifying affected customers via the update page, keeping them up to date throughout the day until the issue was resolved. It looks like all FTP passwords were indeed reset.

We recommend that all DreamHost customers log in to their accounts and check their account status. We encourage you to change your account passwords, and it wouldn’t hurt to change your FTP and database passwords again just to make sure.

If you read through the comments on the blog post listed above, you will see quite a few complaints about infected sites across DreamHost servers over the last few months. As of now, these infection issues do not look to be related to yesterday’s security incident.

One user on the DreamHost Status Blog attributes the malware issues to the DreamHost one-click install wizard; we have not confirmed this:

Apparently, the breach occurred in November via the
one-click install wizard offered by Dreamhost: One click and your whole
Wordpress / Drupal web site is installed, ready to use, automatically updated
by the wizard. Apparently, it’s the wizard itself that was compromised and
anybody who used it was affected.

We have cleaned quite a few of these websites, and most of them were infected through outdated software installed by the customer. The important takeaway is that you need to keep your sites updated. Remember, security is everyone’s responsibility. If you’re running a website, you have a responsibility to your readership, customers, and the online world in general.

Updated (January 21st, 2011 – 14:22 PST) DreamHost CEO released a Security Update blog post on the official DreamHost blog.

Simon Anderson, DreamHost CEO, says,

“our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”

Sucuri is unclear on the impact of the breached passwords at this time, but we’ll update as we get more information about the incident.


If you’re interested in learning about your website security health, run a free scan with Sucuri SiteCheck. Hopefully you’re green across the board.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • http://www.hawaii247.com/ Baron Sekiya

    Simon Anderson, DreamHost CEO, says, “our systems have stored and used encrypted passwords for a number of years, however the hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted. We’ve now confirmed that there are no more legacy unencrypted passwords in our systems. And we’re investigating further measures to ensure security of passwords including when a customer requests their password by email (this was not the issue here, though).”

    • http://www.hawaii247.com/ Baron Sekiya

      Oh, and you can read that and his post here: http://blog.dreamhost.com/2012/01/21/security-update/

    • http://armeda.com/ Andres Armeda

      The post was updated with this info. Thanks!

  • Frank

    I read on a security blog that the DreamHost security breach was due to SSH Password attacks using domain name elements as userid. SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed. For example using isc.sans.org results in the userids isc, sans and org. This may be because a number of hosting providers use the domain name itself as the userid for shell access for customers.
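
One way to check your own sshd logs for the pattern described in the comment above, as an added example that is not part of that comment or of the original post: it flags source addresses that tried several userids derived from the host's own DNS name. The log lines are constructed, the function names are hypothetical, and the message formats assumed are OpenSSH's "Invalid user" and "Failed password" lines.

```python
import re
from collections import defaultdict

# The two sshd messages (OpenSSH format, assumed) that carry the attempted userid.
ATTEMPT = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+))"
)

# Constructed sample log lines; addresses are from the documentation ranges.
SAMPLE_LOG = [
    "Jan 21 03:14:07 web1 sshd[2211]: Invalid user isc from 203.0.113.7",
    "Jan 21 03:14:09 web1 sshd[2211]: Failed password for invalid user isc from 203.0.113.7 port 51512 ssh2",
    "Jan 21 03:14:12 web1 sshd[2214]: Invalid user sans from 203.0.113.7",
    "Jan 21 03:14:15 web1 sshd[2217]: Invalid user org from 203.0.113.7",
    "Jan 21 03:20:41 web1 sshd[2302]: Failed password for root from 198.51.100.23 port 40022 ssh2",
    "Jan 21 03:21:02 web1 sshd[2305]: Invalid user oracle from 198.51.100.23",
    "Jan 21 03:25:30 web1 sshd[2310]: Accepted password for alice from 192.0.2.10 port 50000 ssh2",
]

def name_derived_userids(fqdn):
    """Userids that follow from a host name: each DNS label, plus the full name."""
    name = fqdn.lower().rstrip(".")
    return {label for label in name.split(".") if label} | {name}

def flag_sources(log_lines, fqdn, min_hits=2):
    """Map source IP -> sorted name-derived userids it tried, when it tried at least min_hits of them."""
    candidates = name_derived_userids(fqdn)
    hits = defaultdict(set)
    for line in log_lines:
        m = ATTEMPT.search(line)
        if not m:
            continue  # not a failed-login line (e.g. "Accepted password")
        user = (m.group("u1") or m.group("u2")).lower()
        ip = m.group("ip1") or m.group("ip2")
        if user in candidates:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items() if len(users) >= min_hits}

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG, "isc.sans.org"))
```

A source that cycles through the labels of the server's own name is guessing customer shell accounts rather than generic ones like root or oracle, which makes it a useful signal on hosts where the userid is derived from the customer's domain.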
